I recently ran into this issue of the Sectigo Root certs expiring on May 30th of this year: https://gist.github.com/minaguib/c8db186af450bceaaa7c452ba6a9901b
I updated the certificate chain on our servers and the change was seamless for all employees and users except ONE USER.
The single user experiencing problems is loading an invalid chain for our website. There are screenshots below.
Server-Side Notes:
- The server has been updated and confirmed the certificate & chain is good to go (screenshot attached).
- I have one single client that is still loading an invalid cert chain.
- The server terminating TLS is an Amazon ALB instance.
- The server certificate chain has been validated using an online service for sanity. There is a screenshot below showing this.
Client-Side Notes:
- Deleted any "expired" or "invalid" entries in the Mac Keychain.
- Searched the Mac Keychain for any reference to "AddTrust".
- Fully cleared all browser cache. Chrome is up to date, Version 83.0.4103.97 (however Safari also fails, so I don't think it's the browser).
- Date/Time checked.
Best Answer
Figured this out.
The user is on macOS 10.11 (El Capitan), which doesn't have modern root CAs, and Apple stopped updating the OS in 2019.
Because of this, the Mac Keychain didn't have the updated Root CA so my site certificate wasn't trusted.
Clients Most Notably Impacted:
More details:
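The client-side check behind the accepted answer, as an added example that is not part of the original post or of any vendor tool: does the machine's trust store actually contain the root the server chain now terminates on, and is that root still within its validity period? The logic operates on the dictionaries Python's `ssl` module returns for loaded CA certificates, so it runs offline against a constructed sample store (a client that, like the El Capitan machine, only has the expired legacy root) and, via `audit_system_store()`, against the real default trust store of the host it runs on. The root names `AddTrust External CA Root` and `USERTrust RSA Certification Authority` are assumptions for illustration of the Sectigo transition; substitute the root your own chain anchors on.

```python
"""
Added example (not from the original post): audit a client's trust store
for the root a TLS chain needs, mirroring the troubleshooting above.
Root names and the sample store below are assumptions/constructed data.
"""
import ssl
import time

# Assumed root names for the Sectigo/AddTrust transition (not from the post).
LEGACY_ROOT = "AddTrust External CA Root"               # cross-signing root, expired 2020-05-30
MODERN_ROOT = "USERTrust RSA Certification Authority"   # assumed replacement anchor


def common_name(subject):
    """Extract commonName from ssl's nested-tuple subject representation."""
    for rdn in subject:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(certs, required_roots, now=None):
    """Report which required roots are present and whether each is expired.

    `certs` has the shape of SSLContext.get_ca_certs(); `now` is epoch seconds
    (defaults to the current time).
    """
    now = time.time() if now is None else now
    report = {}
    for cert in certs:
        cn = common_name(cert.get("subject", ()))
        if cn in required_roots:
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            report[cn] = {"present": True,
                          "expired": not_after < now,
                          "notAfter": cert["notAfter"]}
    for name in required_roots:
        report.setdefault(name, {"present": False, "expired": None, "notAfter": None})
    return report


def chain_is_anchored(report, modern_root=MODERN_ROOT):
    """A client can validate the new chain only if the modern root is present and unexpired."""
    entry = report.get(modern_root)
    return bool(entry and entry["present"] and not entry["expired"])


# Constructed sample trust store: a client holding only the expired legacy root,
# which is the failure mode the outdated macOS machine in the answer exhibits.
SAMPLE_LEGACY_ONLY_STORE = [
    {
        "subject": ((("countryName", "SE"),),
                    (("organizationName", "AddTrust AB"),),
                    (("commonName", LEGACY_ROOT),)),
        "notAfter": "May 30 10:48:38 2020 GMT",   # constructed to match the expiry date
    },
]


def audit_system_store(required_roots=(LEGACY_ROOT, MODERN_ROOT)):
    """Audit this host's default trust store; the result depends on the machine."""
    ctx = ssl.create_default_context()   # loads the platform's default CA certificates
    return audit_roots(ctx.get_ca_certs(), required_roots)


if __name__ == "__main__":
    result = audit_system_store()
    for name, info in result.items():
        print(f"{name}: present={info['present']} expired={info['expired']} "
              f"notAfter={info['notAfter']}")
    print("chain can anchor on modern root:", chain_is_anchored(result))
```

Run it on the failing client and on a working one: a store where the modern root is absent (or where only the expired legacy root is present) reproduces the "invalid chain" symptom regardless of browser or cache state, which is why clearing caches and removing Keychain entries had no effect.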